ET WORM TheMoon.linksys.router 1

Notice: Monitoring services will be discontinued from March 31st, 2019.

The Moon is a worm that has affected select older Linksys Wi-Fi routers and Wireless-N access points and routers.

What is The Moon malware?

The Moon malware bypasses authentication on the router, logging in without knowing the admin credentials.  Once infected, the router starts scanning other addresses on TCP ports 80 and 8080, generating a flood of outbound traffic.  This typically shows up as unusually slow Internet connectivity on every device behind the router. The attacks appear to be the work of a worm (a self-replicating program) that compromises Linksys routers and then uses those routers to scan for other vulnerable devices. There is no definitive list of affected routers, but the following models may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900.

The worm, which has been dubbed TheMoon because it contains the logo of Lunar Industries, a fictitious company from the 2009 movie "Moon," begins by requesting a /HNAP1/ URL from devices behind the scanned IP addresses. HNAP, the Home Network Administration Protocol, was developed by Pure Networks (later acquired by Cisco) and allows identification, configuration and management of networking devices.

The worm sends the HNAP request in order to identify the router's model and firmware version. If it determines that a device is vulnerable, it sends another request to a particular CGI script that allows the execution of local commands on the device.
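As an added example (not code from the original page, from Emerging Threats or from Linksys), the following Python script implements the two detections this description implies: the recon-then-exploit request sequence (an /HNAP1/ fingerprint request followed shortly by a request to a CGI endpoint from the same source) and the post-infection scanning (one source contacting many distinct hosts on TCP 80 and 8080). The log layouts, the sample lines, the 60-second window, the five-target threshold and the `/placeholder.cgi` path are all constructed for the demo; the page does not name the CGI script the worm targets, and the placeholder is not it.

```python
"""Detection logic for the TheMoon request pattern described above.

Added example, not from the original page, Emerging Threats or Linksys.
Log layouts, sample lines, window and threshold are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HTTP access log in an assumed "<ISO ts> <src> <method> <path> <status>"
# layout. Addresses are from the RFC 5737 documentation ranges. /placeholder.cgi
# stands in for whatever CGI endpoint is hit; it is not the real script name.
HTTP_LOG = """\
2014-02-12T10:00:01 203.0.113.5 GET /HNAP1/ 200
2014-02-12T10:00:03 203.0.113.5 POST /placeholder.cgi 200
2014-02-12T10:00:05 192.0.2.10 GET /HNAP1/ 200
2014-02-12T10:00:06 198.51.100.7 GET /index.html 200
2014-02-12T10:20:00 192.0.2.10 POST /placeholder.cgi 200
"""

# Constructed flow records in an assumed "<ISO ts> <src> <dst> <dport>" layout.
FLOW_LOG = """\
2014-02-12T10:05:00 203.0.113.5 198.51.100.1 80
2014-02-12T10:05:00 203.0.113.5 198.51.100.2 8080
2014-02-12T10:05:01 203.0.113.5 198.51.100.3 80
2014-02-12T10:05:01 203.0.113.5 198.51.100.4 80
2014-02-12T10:05:02 203.0.113.5 198.51.100.5 8080
2014-02-12T10:05:02 203.0.113.5 198.51.100.6 80
2014-02-12T10:05:03 192.0.2.10 198.51.100.1 443
2014-02-12T10:05:04 192.0.2.10 198.51.100.1 80
"""

WINDOW = timedelta(seconds=60)   # assumed max gap between fingerprint and CGI hit
SCAN_PORTS = {80, 8080}          # the ports the page says the worm scans


def parse_http_log(text):
    """Yield (timestamp, src, method, path, status); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, method, path, status = parts
        yield datetime.fromisoformat(ts), src, method, path, int(status)


def find_hnap_probe_chains(text, window=WINDOW):
    """Return [(src, hnap_time, cgi_path)] for each source that fetched /HNAP1/
    (with a 200, i.e. something answered the fingerprint) and then requested a
    .cgi path within `window`. A CGI request long after the probe is ignored."""
    last_hnap = {}
    hits = []
    for ts, src, _method, path, status in sorted(parse_http_log(text)):
        if path.rstrip("/") == "/HNAP1" and status == 200:
            last_hnap[src] = ts
        elif path.lower().endswith(".cgi") and src in last_hnap:
            if ts - last_hnap[src] <= window:
                hits.append((src, last_hnap[src], path))
                del last_hnap[src]   # one alert per probe
    return hits


def find_scanners(text, min_targets=5):
    """Return {src: distinct_targets} for sources that contacted at least
    `min_targets` different hosts on 80/8080: the outbound scanning that the
    page describes as heavy traffic and slow Internet for everyone."""
    targets = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, dport = parts
        if int(dport) in SCAN_PORTS:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, when, path in find_hnap_probe_chains(HTTP_LOG):
        print(f"probe chain: {src} fingerprinted at {when}, then hit {path}")
    for src, n in find_scanners(FLOW_LOG).items():
        print(f"scanner: {src} contacted {n} hosts on 80/8080")
```

On real data, feed `find_hnap_probe_chains` the router's own web log (or the HTTP log of whatever sits in front of it) and `find_scanners` a NetFlow or conntrack export; the threshold should be set well above what a normal client reaches in the chosen window.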

What should I do to prevent this malware from infecting my router?

The following steps help prevent The Moon malware from infecting your network.

Step 1:
Access the router’s web-based setup page.

Step 2:
Check whether your Linksys router is running the latest firmware.  The current firmware version is shown in the upper-right corner of the web-based setup page.  If it is not the latest version, download the update from the Linksys Support Site and install it.

NOTE: To check the firmware version of a Linksys Smart Wi-Fi Router using Linksys cloud account,

Step 3:
Once you have verified that the router has the latest firmware, click the Administration tab.

NOTE:  If you have upgraded the firmware of the router, access the router’s web-based setup page again then click on the Administration tab.

Step 4:
Make sure that the Remote Management option under the Remote Management Access section is set to Disabled.

Step 5:
Click the Security tab.

Step 6:
Make sure that the Filter Anonymous Internet Requests option under Internet Filter is checked.

Step 7:
Click Save Settings.

Step 8:
Power-cycle the router by unplugging it from the power source and plugging it back in.  The worm runs from memory, so the reboot removes it if the router was infected.  The reboot does not close the hole on its own: do it only after the firmware update and the settings above, otherwise the next scan can re-infect the router.
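After the steps above, check from the outside that the router no longer answers HNAP on its WAN side. The script below is an added example, not Linksys or Emerging Threats code: it parses an HNAP GetDeviceSettings reply (element names follow the HNAP1 response format; the sample reply is constructed), classifies the result, and can probe a router you are authorised to test. The port default of 8080 and the verdict strings are assumptions for the demo.

```python
"""Post-remediation check: does the router still answer GET /HNAP1/ from the WAN?

Added example, not Linksys or Emerging Threats code. SAMPLE_REPLY is constructed;
element names follow the HNAP1 GetDeviceSettings response format.
"""
import http.client
import xml.etree.ElementTree as ET

HNAP_NS = "{http://purenetworks.com/HNAP1/}"

# Models the page lists as possibly vulnerable depending on firmware.
LISTED_MODELS = {"E4200", "E3200", "E3000", "E2500", "E2100L", "E2000",
                 "E1550", "E1500", "E1200", "E1000", "E900"}

# Constructed reply, shaped like an HNAP GetDeviceSettings response.
SAMPLE_REPLY = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
<VendorName>Linksys</VendorName>
<ModelName>E1200</ModelName>
<FirmwareVersion>1.0.00</FirmwareVersion>
</GetDeviceSettingsResponse>
</soap:Body>
</soap:Envelope>
"""


def parse_device_settings(xml_text):
    """Return {'vendor', 'model', 'firmware'} from an HNAP GetDeviceSettings
    reply, or None if the body is not one (HTML login page, non-XML, etc.)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    resp = root.find(f".//{HNAP_NS}GetDeviceSettingsResponse")
    if resp is None:
        return None

    def text(tag):
        el = resp.find(HNAP_NS + tag)
        return el.text.strip() if el is not None and el.text else ""

    return {"vendor": text("VendorName"), "model": text("ModelName"),
            "firmware": text("FirmwareVersion")}


def assess(status, body):
    """Classify a GET /HNAP1/ result seen from the Internet side.
    Anything that answers means management is reachable from the WAN; an HNAP
    reply naming a listed model is the case the worm is looking for."""
    if status is None:
        return "closed"                      # refused or timed out: what we want
    info = parse_device_settings(body) if status == 200 else None
    if info is None:
        return "reachable-no-hnap"           # a web service answers, but not HNAP
    if info["model"] in LISTED_MODELS:
        return f"exposed-listed-model {info['model']} fw {info['firmware']}"
    return f"exposed {info['model']} fw {info['firmware']}"


def probe(host, port=8080, timeout=5):
    """Live check against a router you are authorised to test, run from outside
    its LAN. Returns (status, body); (None, '') when nothing answers."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/HNAP1/")
        r = conn.getresponse()
        return r.status, r.read().decode("utf-8", "replace")
    except (OSError, http.client.HTTPException):
        return None, ""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for port in (80, 8080):
            print(port, assess(*probe(sys.argv[1], port)))
    else:
        print(assess(200, SAMPLE_REPLY))
```

Run it from a host outside your network against the router's public address; the only acceptable result after the steps above is `closed` on both ports.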

